Conversation

Unit42 has yet another write-up on ClickFix with TTPs and IOCs. Maybe consider blocking Win + R and Win + X. @badsamurai has had good results with this.

https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/

@cR0w number of users who miss Win + R/X: 0

I really wanted to remap R to a local .html warning and triage page, but that shortcut is seriously baked-in. All of my solutions were not appropriate for an enterprise.

@meadxmoon so I don't block Win + X shortcut as it's not easily enabled/disabled in the registry the same way as R. I found it easier to simply remove/rename the shortcuts in the WinX folder for the user profile. And you can't easily redirect it to a new shortcut because it requires a registered hash to appear in WinX--a good thing!

Bonus of this mitigation is when ClickFix instructions ask a user to right-click the Start menu to access WinX.

I really wish I could remap these shortcuts to a custom warning/education page without making scripts that look like malware.

@cR0w @badsamurai where does the article show prevention/blocking options? I've scrolled my fingers off on mobile but can only see the reiteration of the technique in reeeeally long form...

@badsamurai @meadxmoon could you point me to implementation details?

@buherator I don't see any in the article but @badsamurai has talked about them on here and has a slide deck with them: https://github.com/BadSamuraiDev/Clikki-Tikki-Tavi

@buherator @cR0w after some feedback from a user group I'm fixing my script to include some logic around what happens if there's an existing custom PowerShell profile. I had exactly 1 in my org, so it's something I didn't consider.

I'd say the key is to make sure these scripts are also making modifications to the HKEY_CURRENT_USER because some orgs, larger than mine, have reported issues with the disabling of R consistently working with just HKEY_LOCAL_MACHINE.

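An added PowerShell example (not BadSamurai's script or anything from the linked slide deck) that wires up the two mitigations discussed in this thread: the Run-dialog block written to both HKLM and HKCU, as the last reply recommends, and the per-user WinX shortcut rename, plus an audit function to confirm the state. It assumes the documented `NoRun` Explorer policy value, the per-user `DisabledHotkeys` value, and the WinX folder under `%LOCALAPPDATA%`; the `-Revert` switches undo the changes.

```powershell
# Added example. Run elevated for the HKLM write; HKCU and WinX changes apply to the signed-in user.
$PolicyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$HotkeyKey = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$WinXDir   = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\WinX'   # assumed per-user WinX location

function Set-RunDialogBlock {
    param([switch]$Revert)
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $path = Join-Path $hive $PolicyKey
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        if ($Revert) {
            Remove-ItemProperty -Path $path -Name 'NoRun' -ErrorAction SilentlyContinue
        } else {
            # NoRun is the "Remove Run menu from Start Menu" policy; Explorer then refuses Win+R as well.
            Set-ItemProperty -Path $path -Name 'NoRun' -Type DWord -Value 1
        }
    }
    # Per-user hotkey list, set alongside HKLM because HKLM alone was reported as inconsistent.
    $adv = Join-Path 'HKCU:' $HotkeyKey
    if ($Revert) { Remove-ItemProperty -Path $adv -Name 'DisabledHotkeys' -ErrorAction SilentlyContinue }
    else         { Set-ItemProperty -Path $adv -Name 'DisabledHotkeys' -Type String -Value 'R' }
}

function Set-WinXMenuBlock {
    param([switch]$Revert)
    if (-not (Test-Path $WinXDir)) { return }
    # Explorer only lists *.lnk files in the Group folders, so a renamed shortcut disappears from
    # the Win+X / right-click-Start menu (assumed to take effect once Explorer restarts).
    if ($Revert) {
        Get-ChildItem $WinXDir -Recurse -File | Where-Object Name -like '*.lnk.disabled' |
            Rename-Item -NewName { $_.Name -replace '\.disabled$', '' }
    } else {
        Get-ChildItem $WinXDir -Recurse -File | Where-Object Extension -eq '.lnk' |
            Rename-Item -NewName { $_.Name + '.disabled' }
    }
}

function Get-ClickFixMitigationState {
    # Audit helper: the values a compliance check or a help-desk ticket would look at.
    $state = [ordered]@{}
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $v = Get-ItemProperty -Path (Join-Path $hive $PolicyKey) -Name 'NoRun' -ErrorAction SilentlyContinue
        $state["NoRun($hive)"] = if ($v) { $v.NoRun } else { 'absent' }
    }
    $h = Get-ItemProperty -Path (Join-Path 'HKCU:' $HotkeyKey) -Name 'DisabledHotkeys' -ErrorAction SilentlyContinue
    $state['DisabledHotkeys(HKCU)'] = if ($h) { $h.DisabledHotkeys } else { 'absent' }
    $state['WinXShortcutsActive'] = if (Test-Path $WinXDir) {
        (Get-ChildItem $WinXDir -Recurse -File | Where-Object Extension -eq '.lnk').Count } else { 'n/a' }
    [pscustomobject]$state
}

Set-RunDialogBlock; Set-WinXMenuBlock; Get-ClickFixMitigationState
```

The audit function is the part worth running on a pilot group first: it shows whether the HKCU values actually landed for each user, which is the inconsistency the last reply describes.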